New software ported from Windows to Mac! You'll never guess what. Yes, it's spyware

Miscreants have ported five-year-old spyware XSLCmd to OS X. The Windows version of the malware has been around since 2009, and the Apple Mac edition of XSLCmd shares significant portions of the same code. It can open a reverse shell to its masters, automatically transfer your documents to a remote system, install executables …

  1. Bush_rat

    Bigger Question...

    Is this malicious JS browser and OS specific or is it a universally available "flaw" in JavaScript that allows this?

  2. Ole Juul

    More hints please

    How does this attack get local privileges?

    1. Anonymous Coward

      Re: More hints please

      >How does this attack get local privileges?

      A popup appears asking you to open a terminal and type:

      chmod +x malicious.command

      /joke

    2. SuccessCase

      Re: More hints please

      "The mechanism to pull in the code is tucked away inside blocks of Google Analytics code. Once executed, the JavaScript gets to work pulling in and installing XSLCmd."

      Rather seems to assume there's a zero-day exploit available Apple is not aware of right now. Which to be honest, there probably is, as there are such latent exploits somewhere in most if not all operating systems. But the bigger question and story is who knows about such an exploit and how widespread can it be before it gets closed down. Can there be one in JavaScript in particular that works across all Macs, and even with the restricted privileges which even admin accounts have these days as standard?

      I could write software "to launch nuclear warheads." The interesting thing is not so much if software has been written but who owns the machine it has been installed on, how it was installed and (most importantly for my missile launcher software) what it is linked to.

      1. Anonymous Coward

        Re: More hints please

        'Google Analytics Code' ? WTF

        So this must get downloaded via a browser. Is it any wonder that the gazillion ad servers and tracking sites (many in the Google domain) that sites seem to link to these days are blocked by Adblock and NoScript?

        If I really have to visit a site that won't work without all this crud enabled then I fire up a Windows VM and use that. Once done, the VM files are restored from a backup. There again, I'm slightly paranoid. Perhaps this is a good thing for once.

      2. Mike Bell

        Re: More hints please

        Rather seems to assume there's a zero-day exploit available

        No, it doesn't. It's just a bit short on detail. They've described the sneaky way that its download is triggered, and what happens when it's executed, but they don't say how it gets executed and what's required in order for that to happen. In particular, whether or not the user is prompted by the OS to accept the install. Maybe that's why they describe it as category 1 low risk.

        1. Anonymous Coward

          Re: More hints please

          It's just a bit short on detail. They've described the sneaky way that its download is triggered, and what happens when it's executed, but they don't say how it gets executed and what's required in order for that to happen.

          Exactly my thoughts. Even if there are fewer backdoors in OSX (it would be folly to think there are none, even if we're talking about a risk several factors lower than with Windows), no OS is impervious to users being duped into permitting a malware installation.

          Having said that, running OSX without admin rights is as much a pain in the neck as it is with Windows. I would really, really like manufacturers and suppliers to code at user level so you could install a program as a user without the need for any more privileges (and thus the risk of doing something dodgy with those rights). This is ESPECIALLY true when it concerns stuff that's seriously flaky such as Java or anything even *touched* by Adobe.

          1. Dan 55 Silver badge

            Re: More hints please

            You what? Most .apps can be placed somewhere in the home directory and run perfectly well on OS X, but it's better to move them to /Applications and enter the admin password when prompted, as then it won't be possible for software running with standard user rights to modify them later.

            If you really wanted to, there's a local version of the Internet Plugins folder; with a bit of tinkering you might even be able to move Flash and even Java there.

            As for Symantec's XSLCmd page, half of the advice given in the bullet points at the end is for Windows. And it doesn't explain how it launches itself, so it probably requires the user to double-click on it to run it with standard user rights.

          2. Anonymous Coward

            Re: More hints please

            It's exactly because of security that plain users should be allowed to run applications but not install them. If any user can install executables, it's far too easy to install malware anywhere and then wait for some privileged process to run it....

            One solution may be fully sandboxing each application, but again you're going to lose a lot of the interoperability features you expect from many complex pieces of software.

            Security comes at a price, you'll need to perform some operations with different privileges when those are needed, and drop them afterwards.

          3. Anonymous Coward

            Re: More hints please

            "Even if there are fewer backdoors in OSX (it would be folly to think there are none, even if we're talking about a risk several factors lower than with Windows) "

            Nope - there are far more holes in OS-X than any version of Windows:

            http://secunia.com/community/advisories/product/96

            2118 vulnerabilities

            1. This post has been deleted by its author

            2. This post has been deleted by its author

            3. Anonymous Coward

              Re: More hints please

              http://secunia.com/community/advisories/product/96

              2118 vulnerabilities

              Look, you may just have joined Microsoft marketing, but I must advise you that quoting numbers WITH attribution is something that MS never does because it's too easy to discover how they manipulated the facts (I learned this at MoD when we started to take their presentations to the top brass apart).

              You see, what you just quoted is the total number of vulnerabilities over the ENTIRE life of OSX. That's 2118 distributed over all versions of OSX since its introduction in 2001 - which was the same year Windows XP came on the market.

              If we add vulnerabilities up over the life of Windows until now (XP home/pro until Win 8.1) you end up with 2453 vulnerabilities, and that is still only 25% of the story, because you would omit:

              - 1406 security advisories vs 179 for OSX

              - the fact that MS leaves things unpatched (although that is getting better, from 10% in 2001 to 3% now with a best of 1%) vs nil for OSX

              - the staggering amount of malware for Windows vs the fairly trivial amount of malware for OSX; the latter is mostly Trojan-based whereas Windows has a lot of "you only have to visit this webpage to get infected" drive-by exposure. Sadly, anti-virus vendors have stopped identifying infections per OS, probably because they would otherwise face the wrath of Microsoft or they'd make people switch OS and so kill their own business.

              Care to try again? The above doesn't support the Windows platform *at all*

              1. Anonymous Coward

                Re: More hints please

                "If we add vulnerabilities up over the life of Windows until now (XP home/pro until Win 8.1) you end up with 2453 vulnerabilities,"

                That's without allowing for the fact that many of these are not unique vulnerabilities - but are the same hole being fixed in multiple OSs.

                "and that is still only 25% of the story, because you would omit: - 1406 security advisories vs 179 for OSX"

                Actually the Microsoft advisories total is much lower than you state - because you are quadruple counting cross platform advisories. But it's hardly news that Apple can take YEARS to fix critical holes, and that you have a much longer average time at risk (Average 91 days!) - http://krebsonsecurity.com/2011/11/apple-took-3-years-to-fix-finfisher-trojan-hole/

                "the staggering amount of malware for Windows vs the fairly trivial amount of malware for OSX"

                Because hardly anyone uses OS-X. Just look at Android (more Malware these days than Windows!) for an example of what would happen if OS-X were actually popular.

                "malware for OSX, the latter is mostly Trojan based whereas Windows has a lot of "you only have to visit this webpage to get infected" drive-by exposure"

                Actually most OS-X malware is 'drive by' - for instance http://www.intego.com/mac-security-blog/os-x-malware-tibet-variant-found/

        2. Anonymous Coward

          Re: More hints please

          It's low risk now because it's not widely distributed (yet), and the target needs to visit a compromised site. It's not something that can exploit a vulnerability from remote without user action.

          But if it's able to keylog, and open a remote shell, it's pretty dangerous.

          1. Mike Bell

            Re: More hints please

            It's low risk now because it's not widely distributed

            Source, please.

            Any software that can keylog or open a remote shell is pretty dangerous. But if the user doesn't allow it to be installed, it's not dangerous at all. As I mentioned above, the malware description does not state what user interaction, if any, is required for it to run, e.g. whether they will be prompted by the OS to elevate permissions to do an install.

            There's tons of malware out there on the web. I've lost count of the number of times I've seen a web page drop some failed executable right into my trash folder on OS X.

    3. Anonymous Coward

      Re: More hints please

      You know in the article there are words in blue?

      Well they are hyperlinks, click on them and you will be taken to information about the issue.

      If you are a bit worried about links, for example you might go to a bad place, well

      here is the link you need

      http://www.symantec.com/security_response/writeup.jsp?docid=2014-090508-3005-99&tabid=2

      1. Anonymous Coward

        Re: More hints please

        And that's how the "Watering Hole" attack works: press the blue words.

      2. Anonymous Coward

        Re: More hints please

        "Here is the link you need?", Aimee

        What I think 'Ole Juul' wants to know is, how exactly is this malware supposed to execute-and-install on the client machine without explicit actions taken by the end user?

        "When the Trojan is executed, it registers itself to LaunchAgent so that it starts automatically." ref
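The persistence detail quoted above (the Trojan registers a LaunchAgent so it starts at every login) is something a defender can audit. The following is an added example, not code from the article or from Symantec's writeup: it parses a LaunchAgent plist with Python's plistlib and flags the properties that typically mark user-level persistence (RunAtLoad/KeepAlive, a program living in a user-writable or hidden path). The sample plist, the path prefixes and the function names are assumptions made for the example.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Constructed sample LaunchAgent (not the real XSLCmd artefact), shaped like
# the files macOS loads from ~/Library/LaunchAgents at login.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.hidden/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Assumed: locations a standard (non-admin) user can write to without a prompt.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def launch_agent_findings(plist_bytes):
    """Return the reasons (possibly none) an agent looks like user-level persistence."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or []
    program = d.get("Program") or (args[0] if args else None)
    if program is None:
        return ["no Program or ProgramArguments key"]
    findings = []
    if d.get("RunAtLoad"):
        findings.append("RunAtLoad: launched at every login")
    if d.get("KeepAlive"):
        findings.append("KeepAlive: relaunched by launchd if it exits")
    if program.startswith(USER_WRITABLE_PREFIXES):
        findings.append("program lives in a user-writable path: " + program)
    if any(p.startswith(".") for p in PurePosixPath(program).parts):
        findings.append("program path contains a hidden directory")
    return findings


def audit_directory(directory):
    """Map each *.plist in a LaunchAgents directory to its findings."""
    return {str(p): launch_agent_findings(p.read_bytes())
            for p in Path(directory).glob("*.plist")}


if __name__ == "__main__":
    print(launch_agent_findings(SAMPLE_PLIST))
```

Run `audit_directory` against `~/Library/LaunchAgents` on a Mac to list every agent with its findings; an empty list for an agent means none of the heuristics fired, not that it is benign.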

      3. Ole Juul

        Re: More hints please

        Nice snark @Aimee. :) I'm not particularly smart, but I wouldn't be assuming that other people don't read the complete article, which includes links. Yes, I do concern myself with where links go, but my UNIX box is locked down pretty tight - hence my interest in how a Trojan would be able to execute. Perhaps one of these days it could be a reality.

        The Symantec article starts with "When the Trojan is executed, . . . " which doesn't give me a lot to go on.

        1. Anonymous Coward

          Re: More hints please

          The Symantec article starts with "When the Trojan is executed, . . . " which doesn't give me a lot to go on.

          Standard sales tactics apply here by embedding an assumption, the correct phrase should be "IF the Trojan is executed" which would leave room for a discussion of attack vectors so that you could assess how likely it is that you'd be landed with this one. As it's labelled a Trojan it suggests this thing sails under a false flag, which hints at a need for social engineering or a craze like the Windows toolbar misery.

          Personally, I think attack vector knowledge is the most important knowledge of all - I *know* that malware is going to be bad in many ways once it's past the gates, I want to know how to keep the damn thing out. Having said that, I run non-admin with a system locked down with Hands Off which even prevents unauthorised disk access - I'm not of a very trusting nature anyway :).

    4. This post has been deleted by its author

  3. Mark 85

    I wonder....

    This is the second or third story that mentions "watering holes". Since El Reg could be considered one... are we in line for malware?

    1. chivo243 Silver badge

      Re: I wonder....

      I consider El Reg a hangout. But not a defined audience. Maybe Mac fan websites would be juicier low-hanging fruit?

  4. Anonymous Coward

    Probably more than this out there. Mac users like think their immune to such things and tend to treat security as a windows only problem. While I agree that windows is targeted more times than not, macs have become very popular, hackers take notice of these things.

    1. SuccessCase

      As a Mac user who has never thought he is immune to such attacks (though one who would be right to think he is less likely to be on the receiving end of such attacks), it rather seems to me the issue is more the number of commenters who like to think Mac owners like to think x, y or z.

      Narrow minded generalisations targeting one or other group are just so damned tedious, and rarely show any insight into anything other than the keyboard wanking habits of the author. But perhaps that's just me making a narrow minded generalisation, albeit one not targeted at any clear or partisan group.

    2. Ole Juul

      thinkage

      Mac users like think their immune

      I don't use a Mac, but I also like think my immune.

      1. Jan 0 Silver badge

        @Ole Juul Re: thinkage

        I like upvote you're thinkerage.

    3. Anonymous Coward

      "macs have become very popular"

      No - no they haven't. Even Windows 8 is more popular than OS-X.

  5. Anonymous Coward

    @SuccessCase

    I have but one upvote to give.

  6. Frankee Llonnygog

    Google Analytics...

    For real fun, implement Google Tag Manager. Then anyone who can guess your email address and password can include JavaScript on your website.

    1. HelpfulJohn

      Re: Google Analytics...

      Password for the website or for the email? I would always make those different from each other.

      As I don't have a website I doubt installing GTM would either work or help Google and The BadGuys(TM). (New pop group?)

      I did "google" it and have a look but it looked like far too much effort to go to just to make a few friends in the malware industry.

      The Reg report looks like yet more FUD from someone who barely knows how to plug a Mac into the wall and who knows less about security on Macs than my cat does.

      Maybe I should stop looking for real information in the Reg and just treat it like any other web comic? A bit of light entertainment without any real-world connection.

  7. cd

    symantec.com is my idea of a bad place. If the Reg keeps doing these important-content-free articles it's going to be right up there.
